Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Spammers Stay Busy Despite Pushdo Botnet Hit

The disruption of the Pushdo botnet has not stopped spammers, despite nearly two-thirds of the botnet's command and control servers being taken out of commission.

From the shutdown of McColo to last week's disruption of the Pushdo botnet, spammers have continually found ways to stay in business.

Nearly 20 of the 30 command and control (CnC) servers associated with Pushdo were taken offline last week due to efforts by security vendor LastLine. The servers were supported by eight hosting providers, some of which did not respond to the vendor's requests for action.

According to Thorsten Holz, senior threat analyst with LastLine, the goal of the company's research was not to completely take down the botnet, but to gain insight into Pushdo's CnC infrastructure. At full strength, the botnet was believed to be responsible for between 7 and 10 percent of all spam.

"We worked with different hosting providers and [got] a quick response from many of them, but unfortunately not all providers reacted on our abuse requests," he said. "Especially the hosting providers from China did not react at all, which is kind of disappointing.

"Considering the fact that the entire botnet was not taken down thanks to these bulletproof hosting companies, it appears that the botnet was still able to operate and create a good deal of traffic," said Fred Touchette, senior security analyst at AppRiver. "Virus levels are down overall on the other hand, but not much, and it's unclear whether or not this is due to the takedown efforts."

In order for a botnet shutdown to be effective, all CnC servers have to be taken down simultaneously, said Gunter Ollmann, vice president of research at Damballa.

"If even one single CnC server is left up, the botnet will still be operational," Ollmann said. "Then, once the botnet operator has spun up some of his spare or reserve CnC servers, he simply pushes a configuration file update down to all the victim computers within the botnet with the list of the new CnC servers. The only other way to permanently shut down a botnet is to locate and remove the operators themselves-but even this has problems as evidenced in the almost comic way in which the botnet operators behind the Mariposa botnet were able to resume control [temporarily] after being arrested."

In response to the takedown, Touchette expects those in control of Pushdo will continue to spread their control servers across various countries and hosting companies to guarantee uptime.

"They may even begin to develop new code for their botnets which change the way they can communicate with each other in order to protect their numbers," he said. "Something like a peer-to-peer communication between the bots themselves would eliminate the need for centralized command and control servers."

The list of command and control servers is not static, added Ollmann, and can be dynamically changed at any time.

"Most botnet operators factor in a certain degree of attrition to their CnC infrastructure and are therefore experienced in quickly spinning up new and additional CnC servers rapidly," he said.